A Plan for Thwarting Cyber Fraud

27/03/2015

The losses suffered by Sony Pictures Studios after it fell victim to a cyberattack last November will run into the millions of dollars. The group of hackers, nicknamed the “Guardians of Peace”, broke into the company’s computer systems and made off with hundreds of confidential documents. This was all intended as payback for the release of a film ridiculing North Korea’s dictatorial regime. Never before has a comedy wreaked such havoc.

The ordeal made news worldwide, reminding us that even major companies are vulnerable to cyberattacks. What about SMEs? How can a business protect its critical data from cyber criminals?

A poorly understood risk

While business managers have become more aware of the risk that cyber fraud represents, “they haven’t necessarily developed plans for managing these incidents,” maintains Corey Anne Bloom, a partner in MNP’s Investigative & Forensic Services practice, as well as their Forensic Technology Consulting Services.

Are executives and employees trained to recognize cyber fraud attempts? Are computer systems secure? In other words, in 2015, how do you put up a wall between your organisation and cyber criminals?

The many faces of cyber fraud

Trojan Horses, phishing, viruses, and other malware programs: cyber fraud takes many forms and creative computer hackers dream up new ones every day.

“Fraudulent electronic funds transfers are really prominent right now,” says Corey Anne Bloom. “For example, a person in the accounting department of a business receives an email that appears to come from a known supplier, stating that payment via bank transfer should be made to such-and-such account number from now on. The employee makes the transfer, not suspecting that the email is fraudulent. Authentication parameters for bank sites can also be intercepted in order to make electronic funds transfers to accounts held by the scammers.”

Phishing attempts also occur frequently. Even though they generally target individuals, businesses may suffer collateral damage. An employee who, while at work, answers a fake email claiming to come from his bank “could thereby help to infect the business’ entire network,” says Ms. Bloom.

That said, the notion that these misdeeds are the work of a teenage computer hacker operating from a dimly lit bedroom could not be further from the truth. Today, cyber criminals form highly structured groups in which tasks are allocated as they are in a business: one group takes care of obtaining authentication parameters and another takes care of making money from them.

However, it should still be noted that most cyber fraud threats come from internal sources. “Sometimes it’s an employee who commits these acts intentionally,” Ms. Bloom explains. “Other times, it’s just because an employee hasn’t followed the company’s policies.”

A prevention plan

Policies, in fact, are the starting point for any good action plan that businesses should develop to minimise cyber fraud risks. “In the case of a fraudulent funds transfer, it would’ve been easy to avoid the worst-case scenario if there had been a policy in place stating that a phone call must be made to a supplier in order to authorize a bank account change,” says Corey Anne Bloom.

Moreover, this type of plan should cover technological risks by ensuring that the business’ IT equipment is always up to date. This will be a challenge. Within Canadian organisations, a number of computers are still running on the Windows XP operating system, despite the fact that Microsoft stopped updating it in 2014. “SMEs that are still using XP are more vulnerable to hacking,” states Corey Anne Bloom.

An action plan should also consider the human risk. “What I think is most important,” Ms. Bloom continues, “is training executives and employees to understand why and how cyber fraud occurs.”

Experts as backup

With the risk of cyber fraud increasing, a growing number of businesses are calling upon an emerging area of expertise: computer forensics.

Investigative and forensic accounting has long been recognized. This legal discipline investigates commercial crime or financial fraud by spotting illegal accounting records or instances of fiscal sleight of hand.

A subfield of investigative and forensic accounting, computer forensics focuses on financial cyber crimes. “We have software programs that enable us to find undiscovered evidence, for example, from among a million emails, or to recover data that may have been removed from a hard drive.”

Computer forensics, a new facet of investigative and forensic accounting, now comes with the territory for 21st-century businesses and deserves very close attention.